Overview

The SCIM connector bundle is designed to manage provisioning through the SCIM 1.1 and 2.0 specifications.

Two different connectors are actually available within this bundle:

net.tirasa.connid.bundles.scim.v11.SCIMv11Connector
net.tirasa.connid.bundles.scim.v2.SCIMv2Connector

Supported operations

Create
Delete
Update
Search
Test
Schema

Configuration

Configuration Properties

The following table describes all of the properties that you can specify for the configuration:

Configuration Property	Type	Required	Description
baseAddress	String	X	Base address of the SCIM REST service. E.g. `https://mydomain.com/api/scim/v1/` for 1.1 version and `https://mydomain.com/api/scim/v2/` for 2.0 version
username	String		Username for authentication to the target RESTful service
password	GuardedString		Password for authentication to the target RESTful service
accept	String	X	Value for the HTTP `Accept` header; defaults to `application/json`
contentType	String	X	Value for the HTTP `Content-Type` header; defaults to `application/json`
clientId	String		Client id for authentication to the target RESTful service
clientSecret	String		Client secret for authentication to the target RESTful service
accessTokenNodeId	String		Field id of the JSON object node, returned from target Access Token RESTful service, that contains token value; defaults to access_token
accessTokenBaseAddress	String		Base address of the target RESTful service used to obtain access token
accessTokenContentType	String		Value for the HTTP Content-Type header for the target Access Token RESTful service; defaults to application/x-www-form-urlencoded
customAttributesJSON	String		SCIM Resource Schema representation in JSON format, used to specify custom attributes. See here as reference
updateMethod	String		Method used for updates (`PATCH` or `PUT`); defaults to `PATCH` for 1.1 version. Must be set to `PUT` for 2.0 version until the `PATCH` will be implemented
updateGroupMethod	String		Method used for updates on Groups (PATCH or PUT); defaults to PATCH
scimProvider	String		Defines the SCIM server implementation to which the connector is connecting to. Default value is STANDARD. Admitted values are: AWS, WSO2, SALESFORCE, STANDARD This information is needed since some providers implementations like Salesforce or AWS differ a bit from the current SCIM standard exposed in RFC-7643 and RFC-7644
manageComplexEntitlements	Boolean		Whether to manage entitlements other than the default one (SCIM v1.1 only supports the default entitlement)
explicitGroupAddOnCreate	Boolean		Whether to perform an additional update on group after user create to add the user.
genericComplexType	String		Some provider don't store information about the type of the complex attributes, is possible to define a default one
addressesType	String		Some provider don't store information about the type of the addresses attribute, is possible to define a default one.

A sample value for customAttributesJSON parameter that includes some custom attributes you want the Connector to handle:

{
  "id": "urn:scim:schemas:core:1.0:User",
  "name": "User",
  "description": "Core User",
  "schema": "urn:scim:schemas:core:1.0",
  "endpoint": "/Users",
  "attributes": [
    {
      "name": "myCustomName",
      "type": "string",
      "multiValued": false,
      "description": "",
      "schema": "urn:scim:schemas:core:1.0",
      "readOnly": false,
      "required": false,
      "caseExact": false
    }
  ]
}

The following, instead, is a sample for 2.0 version:

{
  "id": "urn:mem:params:scim:schemas:extension:LuckyNumberExtension",
  "name": "LuckyNumbers",
  "description": "Lucky Numbers",
  "endpoint": "/Users",
  "attributes": [
    {
      "name": "luckyNumber",
      "type": "integer",
      "multiValued": false,
      "description": "",
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "server"
    }
  ]
}

The important parts are:

attributes;
all the name and schema property of each attribute.

Indeed, the resulting schema representation will use the same name convention used for other complex attributes, e.g.:

name.familyName
addresses.other.formatted
emails.work.primary
phoneNumbers.work.value
…

so in this case it will be:

urn:scim:schemas:core:1.0.myCustomName for version 1.1.
urn:mem:params:scim:schemas:extension:LuckyNumberExtension.luckyNumber for version 2.0.

To manage version 2.0 Enterprise User attributes just use the following attributes:

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.costCenter
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.ref
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value

To manage version 1.1 Enterprise User attributes just use the following attributes:

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.managerId
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

Important notes

About AWS there are some limitations described here on SCIM v2 API: they affect the current behavior of the connector, especially these 2 features are not available:

Group removal on update. If user has grp1 and grp2 and you remove grp2 and add grp3, useris going to have grp1, grp2 and grp3, i.e. grp2 is not going to be removed.
Group synchronization is not possible.

This because groups are not returned in the user result and there is no way to get group ids by user.